Last week, authorities issued a bulletin warning about potential terrorist attacks on hospitals.
Security Terror Threats Against Hospitals
On March 18, 2025, the American Hospital Association (AHA) and the Health Information Sharing and Analysis Center (Health-ISAC) saw a social media post about the active planning of a coordinated, multi-city terrorist attack on hospitals in the coming weeks. The next day, the AHA and Health-ISAC issued a joint alert, saying they were working with the FBI and awaiting additional details that could be shared with their members.
Although terrorists usually don’t advertise upcoming attacks, social media posts threatening a wave of violence against hospitals in cities with 100,000 and 500,000 residents “may encourage others to engage in malicious activity directed toward the health sector.” Therefore, whether real or not, the threat is a reason to prepare in case of copycat attacks.
As of March 20, the AHA and Health-ISAC were not aware of the existence of any additional information to corroborate the credibility of the security terror threat or to conclusively assert that the threat is a hoax or misinformation, according to John Riggi, national advisor for cybersecurity and risk at the AHA. “What we can say is that we are in daily communication with FBI headquarters, and they are actively and aggressively pursuing the alleged threat.”
One of the social media posts on X, formerly Twitter, came from American Kinetix, a global operational services support firm. The post describes a “highly credible threat” from ISIS- K (Islamic State Khorasan Province) against hospitals in mid-tier cities, using vehicles, armed attacks, and hostage-taking. American Kinetix asserts the intelligence came from chatter from ISIS-K training camps in Afghanistan.
Authorities are warning healthcare organizations to review and evaluate the coordination and capabilities of physical security, cybersecurity, and emergency management plans. They also recommend increasing relationships with local and federal law enforcement to streamline response efforts during an attack.
Uncorroborated threats pose a dilemma for law enforcement. They don’t want to add credibility to empty threats, but they also want to help potential targets shore up defenses in case the threats are real.
The HIPAA Security Rule is a Blueprint
HIPAA is designed to protect patient data security from threats of all kinds: cyberattacks, natural disasters, terrorism and theft.
The Security Rule requires healthcare organizations to use administrative, physical, and technical safeguards to maintain security. To prepare for and prevent a terrorist attack, follow the Security Rule guidance. Review your HIPAA risk analysis and risk management plan. Review your contingency plan and alert key staff to be ready.
If the worst happens and security is threatened or patient services are interrupted, the contingency plan will help manage the crisis and lessen the damage.
